Imagine this: A company discovers its web server log files show that a particular IP address has sent web traffic that seems to test whether the company's content management system has been updated to patch a recent vulnerability. Useful information to know outside that company?

The federal government thinks so, and cites this example of the type of cyberthreat information that should be shared by businesses with the government, which in turn will share it with other organizations in and outside of government.

The example appears in new guidance issued this week by the Department of Homeland Security to help governmental and private organizations visualize how best to share cyberthreat information.

4 Guideline Documents

DHS has issued four guideline documents that in the words of Secretary Jeh Johnson "provide federal agencies and the private sector with a clear understanding of how to share cyberthreat indicators." The four publications DHS issued are:

"This language is a positive step toward enabling the private sector to identify and share cyberthreat indicators with the federal government, which will help better protect consumers and our nation's security," says Chris Feeney, president of BITS, the technology arm of the Financial Services Roundtable, a trade group.

Step in Implementing New Law

The Cybersecurity Information Sharing Act, enacted late last year, directs DHS to establish a mechanism through its National Cybersecurity and Communications Integration Center for the government and private sector to share cyberthreat data (see Obama Signs Cybersecurity Information Sharing Bill). The issuance of the guidance is the latest move by the government to implement the new law.

"The guidance provides a useful roadmap for non-federal entities seeking to ensure compliance with CISA and the receipt of its corresponding protections when sharing information related to cyberthreats and defensive measures," Stephen Reynolds, co-chair of law firm Ice Miller's data security and privacy practice, writes in a blog.

Observable Facts

According to the guidance, much of the information within an indicator centers on observable facts. A cyberthreat indicator offers a number of observable characteristics: a malicious email, IP addresses, file hashes, domain names, URLs, malware files and malware artifacts that describe a file's attributes. The specificity and nature of the observable facts are designed to reduce the risk that a cyberthreat indicator contains personal content or information inappropriate to share.

The non-federal entity guidance also describes defensive measures, which can likewise be shared, that detect, prevent or mitigate known or suspected cybersecurity threats or security vulnerabilities. A defensive measure could be as simple as a device that protects or limits access to a company's computer infrastructure or as complex as sophisticated software tools that detect and protect against anomalous and unauthorized activities.

Defensive Measures

Examples of defensive measures: software that identifies patterns of malicious activity in web traffic, signatures loaded into an intrusion detection system to detect spear phishing with particular characteristics, algorithms that search through a cache of network traffic to discover anomalous patterns and automated techniques to quickly match the content of an organization's incoming SMTP traffic against a set of content known to be associated with a specific cybersecurity threat without degrading the speed of email delivery to end users.

In making the announcement of the new guidelines, Johnson also unveiled how DHS's Automated Indicator Sharing initiative would work under the new law to enable the real-time exchange of cyberthreat indicators, remove unnecessary personally identifiable information and disseminate the indicators to appropriate government and nongovernment organizations.

By design, according to DHS, the Automated Indicator Sharing program removes PII not directly related to a cyberthreat; allows limited human review to remove PII when automated mitigation isn't feasible; anonymizes submitters' identity unless they consent; retains data for a limited time, consistent with the need to address the cyberthreat; and ensures collected data are used only for authorized government purposes.

[Diagram: Protection for Sharing Cyberthreat Data with Federal Entities. Source: DHS]

CISA provides liability protections only if the organization shares cyberthreat indicators and defensive measures through the DHS hub (see diagram above). The new law provides other protections, such as exemptions from antitrust laws, federal and state disclosure laws and certain regulations, when information is shared through other government organizations, information sharing and analysis centers, information sharing and analysis organizations, managed security service providers and other private organizations.
